[Swan] Multiple devices behind single NAT IP

Mike C smith.not.western at gmail.com
Mon Jul 29 21:25:01 EEST 2013


Hi,

Is there a recommended approach to run multiple openswan clients behind the
same NAT IP? My scenario in particular is multiple 3G devices behind the
same ISP CG-NAT IP (unfortunately).

I found a reference to something possibly related about NAT roadwarriors
and a big change to support them in Openswan 3.0 (this was back in 2006:
http://comments.gmane.org/gmane.network.openswan.user/8707 ).

I've been testing today with libreswan 3.3 on the clients and 3.5 on the
server. It appears that multiple ipsec devices behind a single NAT IP
don't work well. Maybe it shouldn't work at all?

My environment: VPNs are using PSKs and symbolic peer ids. Connections are
initiated by the client side only.

Server:
Linux Libreswan 3.5 (netkey) on 3.9.3-x86-linode (also tested with 3.3).
@router1: 69.x.x.x WAN, 192.168.55.254/24 LAN

Clients:
Linux Libreswan 3.3 (netkey) on 3.9.5-301.fc19.x86_64
@router2: 10.211.55.40 WAN, 192.168.22.254/24 LAN
@router3: 10.211.55.41 WAN, 192.168.33.254/24 LAN
Upstream IP for both: 2.x.x.x.

I find that the connection works for both only if I add the tunnel for a single
router first, then the next. So add @router2 to the server, connect it,
then add @router3 and connect it. If I don't do this, the server tries to
associate the packets with the wrong tunnel (logs for 3.3 libreswan on
server showed this, not seeing any debug logs on 3.5 but assume the same).

Server conf file (I can provide the full ipsec.conf for each end if useful):

config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    uniqueids=yes

conn routers-12
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftnexthop=%defaultroute
    leftsourceip=192.168.55.254
    leftid=@router1
    right=2.x.x.x
    rightsubnet=192.168.22.0/24
    rightid=@router2
    keyingtries=%forever
    forceencaps=yes
    nat_keepalive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart_by_peer
    authby=secret

conn routers-13
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftnexthop=%defaultroute
    leftsourceip=192.168.55.254
    leftid=@router1
    right=2.x.x.x
    rightsubnet=192.168.33.0/24
    rightid=@router3
    keyingtries=%forever
    forceencaps=yes
    nat_keepalive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart_by_peer
    authby=secret

Kind Regards,

Mike
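As an added example (not part of Mike's post or of Libreswan itself), a small Python check that parses ipsec.conf-style conn sections and reports peers that share the same right= address, which is exactly the situation above once CG-NAT places both routers behind 2.x.x.x. The sample config is constructed from the two conn sections in the post with the addresses left as written.

```python
import re
from collections import defaultdict

# Constructed sample (added example, not the poster's full file): the two conn
# sections from the post, trimmed to the keys this check looks at.
SAMPLE_CONF = """\
conn routers-12
    left=69.x.x.x
    right=2.x.x.x
    rightsubnet=192.168.22.0/24
    rightid=@router2

conn routers-13
        left=69.x.x.x
        right=2.x.x.x
        rightsubnet=192.168.33.0/24
        rightid=@router3
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of an
    ipsec.conf-style text. Indentation is ignored; a section ends at the
    next 'conn' or 'config' header line."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def shared_peer_addresses(conns):
    """Group conns by `right=` and keep addresses used by more than one conn.
    Each entry lists (conn_name, rightid): after CG-NAT collapses the peers
    onto one IP, rightid is what still tells them apart."""
    by_right = defaultdict(list)
    for name, opts in conns.items():
        if "right" in opts:
            by_right[opts["right"]].append((name, opts.get("rightid", "<none>")))
    return {addr: sorted(peers) for addr, peers in by_right.items() if len(peers) > 1}

if __name__ == "__main__":
    for addr, peers in shared_peer_addresses(parse_conns(SAMPLE_CONF)).items():
        print(f"{addr}: {len(peers)} conns share this peer address -> {peers}")
```

Running it against the sample reports that 2.x.x.x is the peer address of both routers-12 and routers-13, so on the server side only the rightid differs between the two conns.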